GDPR – Are you ready?

Compliance begins with Enterprise Information Management.

Effective May 25, 2018, the General Data Protection Regulation (GDPR), adopted by the European Parliament, took effect. The Regulation has a significant impact on organizations in all industry sectors, bringing with it both compliance challenges and opportunities to gain competitive advantage.

Overview

What is the GDPR?

The GDPR is the new European Union data privacy legislation to modernize and reform the laws that address the handling of personal data of European Union residents. It represents the biggest overhaul of the world’s privacy rules in more than 20 years.

Highlights

The GDPR applies to all 28 EU member states and has the full force of the law.

It applies to EU citizens’ personal data, regardless of where it is collected, stored, or processed – whether inside or outside of the EU.

If your company collects and stores the personal data of EU citizens, the GDPR is relevant to your organization, even if you don’t have a formal presence in the EU zone.

There was a transition period of two years for organizations to implement compliant processes. The deadline was May 2018.

The GDPR does not apply to the processing of personal data as it pertains to matters of national security or "purely personal or household activity."

Notable Changes

Stricter consent rules

The GDPR requires that individuals give unambiguous, informed consent before their data may be processed. Consent cannot be assumed from inaction.

Enhanced rights for data subjects

Individuals have more rights under the GDPR including rights to: have their personal data erased, have inaccurate data corrected, be removed from digital marketing, and request personal data be ported to another service provider.

Data breach notification

Organizations must notify those whose data has been breached within 72 hours of the breach.

Increased accountability measures

There are a number of new governance requirements for subject organizations, including conducting privacy impact assessments and appointing a data protection officer.

Substantial fines

Maximum penalties are €20 million or 4% of annual global revenue, whichever is greater.

Data Minimization vs Data Maximization

Today, most businesses and their marketing teams follow the practice of data maximization, that is, collecting as much data about consumers as possible, sometimes before they know exactly what, how, or when that data will be used. In addition, they extract as much value from this data as they can, at times reusing it for various purposes or even selling it to another party. One of the central tenets of the GDPR is the principle of data minimization: firms collect only the smallest amount of personal data needed, keep it for the shortest period possible, and delete it as soon as its specific purpose has been fulfilled.

Because the Regulation has been enforced since May 2018, organizations that are not yet compliant need to act now.

An important first step will be for organizations to have clarity on how they manage personal information, including:

What personal data they process

Where it is stored across the organization

Who has access to it

What consent has been provided and where it is documented

Where it is transferred from and to (including to third parties and cross-border)

How it is secured throughout its lifecycle

Whether there are processes in place to dispose of personal data in accordance with policy

OpenText Business Network utilizes important security protocols such as encryption in transit and at rest; information passed through the OpenText Cloud fax network and OpenText Business Network Cloud network is protected end-to-end.